Support SSL mirroring in proxy mode

SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port. Previously, this was supported in flow mode. Support for proxy mode has been added. A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies. Full SSL inspection must be used in the policy for the traffic mirroring to occur.

Note

When upgrading to FortiOS 6.4.0, the original ssl-mirror and ssl-mirror-intf profiles will be replaced with a new firewall decrypted-traffic-mirror profile named __upg_pol_<#>. The default destination MAC is all FF, and the default source is client.

To configure SSL mirroring in proxy mode in the GUI:
  1. Go to Policy & Objects and create a new policy, or edit an existing one. This example uses a firewall policy.
  2. In the policy settings, ensure the following are configured:
    1. The Inspection Mode is set to Proxy-based.
    2. The SSL Inspection profile uses Full SSL Inspection (if needed, click the pencil icon next to the dropdown to view the inspection profile settings).
  3. Enable the Decrypted Traffic Mirror toggle. The terms of use will appear in a separate pane.
  4. Click Agree.
  5. Beside the toggle, click Create to configure a new decrypted traffic mirror and adjust the settings as needed. In this example, the client is the decrypted traffic source and port3 is the interface.
  6. Click OK to save the traffic mirror settings.
  7. Click OK to save the policy settings.

To configure SSL mirroring in proxy mode in the CLI:
  1. Create the decrypted traffic mirror profile:
    config firewall decrypted-traffic-mirror
        edit SSL-to-port3
            set dstmac ff:ff:ff:ff:ff:ff
            set traffic-type ssl
            set traffic-source client
            set interface port3
        next
    end
  2. Configure the policy to enable SSL traffic mirroring:
    config firewall policy
        edit 1
            set inspection-mode proxy
            set ssl-ssh-profile deep-inspection
            set decrypted-traffic-mirror SSL-to-port3
    		
            THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:
    
            1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
    
            2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
    
            3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
    
            4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
    
            5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
    
            6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
    
            7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
    
            Do you want to continue? (y/n)y
        next
    end
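Because a policy that sets decrypted-traffic-mirror but uses a non-full SSL inspection profile silently mirrors nothing, a configuration audit is useful. The following is an added example, not Fortinet code: it parses a FortiOS config export (the config/edit/set/next/end syntax shown above) and flags policies that reference a missing mirror profile or lack full SSL inspection. It assumes only the built-in deep-inspection profile counts as full inspection, and the sample config is constructed.

```python
# Assumption: only built-in deep-inspection counts as full SSL inspection; add custom profiles here.
FULL_SSL_PROFILES = {"deep-inspection"}

def parse_fortios(text):
    """Top-level config/edit/set/next/end blocks -> {table: {entry: {key: value}}}."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = tables.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # nested sub-tables are not needed for this check
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
    return tables

def lint_mirroring(cfg, full_ssl=FULL_SSL_PROFILES):
    """One finding per policy whose decrypted-traffic mirror would silently produce no traffic."""
    mirrors = cfg.get("firewall decrypted-traffic-mirror", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        mirror = pol.get("decrypted-traffic-mirror")
        if not mirror:
            continue  # policy does not mirror; nothing to check
        if mirror not in mirrors:
            findings.append(f"policy {pid}: unknown mirror profile {mirror}")
        if pol.get("ssl-ssh-profile") not in full_ssl:
            findings.append(f"policy {pid}: {pol.get('ssl-ssh-profile')} is not full SSL inspection")
    return findings

# Constructed sample: policy 1 is correct; policy 2 uses certificate
# inspection and references a mirror profile that does not exist.
SAMPLE = "\n".join([
    "config firewall decrypted-traffic-mirror", '    edit "SSL-to-port3"',
    "        set interface port3", "    next", "end", "config firewall policy",
    "    edit 1", '        set ssl-ssh-profile "deep-inspection"',
    '        set decrypted-traffic-mirror "SSL-to-port3"', "    next",
    "    edit 2", '        set ssl-ssh-profile "certificate-inspection"',
    '        set decrypted-traffic-mirror "SSL-to-port9"', "    next", "end",
])
```

Run it against `show firewall policy` and `show firewall decrypted-traffic-mirror` output concatenated into one text; an empty findings list means every mirroring policy meets the prerequisites stated above.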
